I've got a script that sets some session values before redirecting to / using header().
I've read many posts about the $_SESSION variable being destroyed / lost after header(), even after I implemented this:
// set session here
session_regenerate_id(true);
session_write_close();
header("Location: /");
session_start() is set in the correct places, does anyone know of anything that I might be missing?
On the index.php page I have this:
session_start();
print_r($_SESSION);
// outputs nothing :'(
The code is pretty complex so will not post it all, just snippets.
I've never seen any session related issues due to using location headers - are you sure you're calling session_start on both pages?
Hmm... this answer made a lot more sense before you added the session_start bits above, and mentioned the fact that you were sure you were using session_start. :-)
header must be sent before session close
session_regenerate_id(true);
header("Location: /");
// the header must be sent before session close
session_write_close(); // here you could also use exit();
just put exit; after header :D I solved by this
After the Header redirect you need to exit the PHP script:
header("Location: /");
exit();
In the interest of closing this question, we had concluded it was a problem with the server configuration, not surprising considering the host is well known for this kind of thing.
One possible option that was not mention here and happened to me is that I was creating another session. When you're using session in php you can use only one session at a time. If you create a new session the old one is lost. This is more likely to happen when you create a session for login and maybe you want another session for something else(It's not that recommended anyway). My case was a flash() method which I used to create a session only once a post was added/updated/deleted. And use that session in the views to display a message then destroy it. Every time I created a new session while adding/updating/deleting the other session that I used for login was destroyed. This is not something that happens to often but it's possible.
I had the same problem, I found that using a function related to Session helps to ensure if you started a session or not
if(session_status == PHP_SESSION_NONE)
session_start();
You don't need to start session_start() in each page. cuz untill your browser is closed the same session remains for the entire path you have specified in php.ini
Related
A novice php learner. I read in a book, and continue to see this at certain forums and tutorials that the statement: session_start() is required to access all global session variables. And yet, multiple solutions offered at stackoverflow suggest using a block of this sort:
if(!(_isset($_SESSION['user']))){
session_start()
}
to be able to access the session variables. Based on my understanding, the session variable $_SESSION['user'] could only have been set at a previous php file by starting a session, and is "only" visible to the current page after the session_start() statement is called. Yet it produces the notice:
Notice: A session had already been started - ignoring session_start().
what am i missing?
Thanks everybody!
Your first block of code should be checking if the session variable is set, rather than the user variable exists in the session:
if(!isset($_SESSION)) {
session_start();
}
However, if you just ensure that you only have a single session_start() per page then you can avoid the "A session had already been started" notice.
session_start() is required to read / set any session variables.
Generally, I would think your code should look like this:
session_start()
if(!(_isset($_SESSION['user']))){
// do stuff here
}
However, the error message implies that you have already started the session elsewhere in your file.
You might have auto_start turned on somewhere (php.ini, .htaccess, etc)?
http://www.php.net/manual/en/session.configuration.php#ini.session.auto-start
Here is a scenario where your error would be triggered :
index.php:
<?php session_start();
require_once('some-page.php'); ?>
some-page.php:
<?php session_start(); // this would make an error when included to index.nl ?>
some-page.php should not have session-start in it as index.php already has started the session.
Also note that going to another page or even closing the tab will not reset your session variables ! so if you set S_SESSION['user'] = 'someuser'; , you close the tab and go to the website again, the session is still there and $_SESSION['user'] would still have someuser as value ! to manualy destroy the session , use session_destroy();
Basically none of my scripts work without a session regeneration check at the top of the file, this is very strange because I've never had this issue before and I have no idea why it would force me to run this code. Below is my logout, then below that is what I have to put at the top of every single file that touches the sessions in order to make it work. Any ideas on what is wrong?
Logout:
require_once("../Core/Core.php");
if(!isset($_SESSION['LoggedIn']))
Core::ThrowError(13,"",1);
session_destroy();
header("Location: " . Core::$url);
Required to make it work: (Also I'm putting this on every page that the user views (so no things like login script page) )
<?
session_start();
if(!isset($_SESSION['started']))
{
session_regenerate_id();
$_SESSION['started'] = true;
}
?>
Update 1:
After adding session_start() above where I add data to variables I'm now able to put data into the session (Although the session was already started because it's started before you even view the login page) but when I call session_destroy() it returns false as if the session doesn't exist, but then I put session_start() above the session_destroy() and it works fine! This is really dumb whatever it is... Please help.
Update 2:
It appears I can only access session data if I put session_start() before trying to access it even if the session is already stated.
Okay I managed to fix it, I didn't know that "To use cookie-based sessions, session_start() must be called before outputing anything to the browser." so to fix it I put session_start() in the core which is required by everything so everything would call it before trying to access the sessions.
I'm sorry guys -- after two hours of looking and commenting out and so on, I found one tiny include that was referencing a redirected domain. Somehow this threw everything else off. I'm still not sure why, but by fixing that file to the new domain I was able to fix it. Again, thanks for your help and time in replying to me!
I'm fairly familiar with sessions in PHP, yet I can't tell why these session variables are not sticking on this login system I have. When I log in, I get successfully sent to the index page, but any pages therein I get kicked back to the login page, and also when I reload the index page. I have echoed the session variable $_SESSION['login'] on the index page to make sure its value has accurately been carried over, and it's is there..
... code removed
My wild guess but usually a problem I always encounter in Apache under Linux when dealing with sessions.
Check session.save_path in php.ini. If there's a path there and doesn't exist in your system, create it e.g. session.save_path = "/var/lib/php/session". I'm guessing PHP cannot create session files and thus session won't persist across pages. Give the folder a write permission too, try 0777 (but it's not the best permission as it allows all users). HTH!
Why are you destroying the session during login? This is probably a reason.
session_start();
session_unregister('login');
session_write_close();
session_start();
session_destroy();
You probably might just call session_start() and clear 'login' session value:
<?
$ERRBG="";
$ERRMSG="";
session_start();
$_SESSION['login'] = null;
require_once("db/mysql_connect.php");
.......
Use session_start() only once in the php page at the starting
Do not use session_destroy().
If you want to remove session variable, use unset function.
In case if you want to remove all the variables use session_unset function
Use session_destroy() as the logout operation
Please do this step :
use session_start() at the top of page after <?php just once .
don't destroy session
write var_dump($_SESSION) on in your test-index and write it in that
page when you click on it , it's
redirect to login page ( insert
die() after it ) !
I think session start in your test-index but not in your other page
report result to me !
For logging out a user from my website, I am redirecting the page to logout.php where I am using session_destroy() function. Even there also, logout functionality is not working without session_start() function. By adding session_start() function before session_destroy() function, I am able to logout the user successfully.
Why do I need to use session_start() function everytime and in every page where I am doing something related to sessions?
session_destroy() destroys the active session. If you do not initialized the session, there will be nothing to be destroyed.
Why do I need to use session_start() function everytime and in every page where I am doing something related to sessions?
So PHP knows which session to destroy. session_start() looks whether a session cookie or ID is present. Only with that information can you destroy it.
In the default configuration, PHP Sessions operate off of the hard disk. PHP asks you to explicitly tell it when you need this support to avoid unnecessary disk IO.
session_start() also tells PHP to find out if the user's session exists.
session_start() creates a session or
resumes the current one based on a
session identifier passed via a GET or
POST request, or passed via a cookie.
as per http://php.net/manual/en/function.session-start.php
Essentially by calling session_start(), PHP reads the header and cross references that session ID to what is on your system(file system/database/etc), which can then populate the $_SESSION that is relavent to that specific user. Which in turn allows you to call session_destroy() because it knows what session to actually destroy.
consider session_start() as your way of telling the php engine.... that you want to work with sessions.
and, as i understand it, always make that to be the first line ever in php page.
I was confused with the usage of session_start(); and every time I was using a session variable, I was calling session_start. Precisely, I had session_start(); more than once on each page (without even calling session_destroy()). For example,
// 1st call
session_start();
if (!isset($_SESSION['UserID']))
{
// Do something
}
else
{
// Do something else
}
// .... some other code
// 2nd call
session_start();
if (!isset($_SESSION['UserID']))
{
// Do something totally different
}
else
{
// Do something else totally different
}
This was creating a performance issue for me. So I ended up calling session_start(); just once at the very top of the page and everything seems to be working fine.
You have to call session_start once (and only once) in every file you want sessions to work in.
A common approach allowing you to only call it once is to have a dispatcher file as your index.php; call session_start in here and have this page include others based on the url's $_GET.
<?php
session_start();
if(isset($_GET['page']) && file_exists('pages/'.$_GET['page'].'.php') {
include $_GET['page'];
}
?>
//www.mysite.com/index.php?page=fish will display /pages/fish.php with session access
I have read through the php manual for this problem and it seems quite a common issue but i have yet to find a solution. I am saving sessions in a database.
My code is as follows:
// session
$_SESSION['userID'] = $user->id;
header('Location: /subdirectory/index.php');
Then at the top of index.php after the session_start(), i have var_dumped the $_SESSION global and the userID is not in there. As i said ive looked through the PHP manual (http://php.net/manual/en/function.session-write-close.php) and neither session_write_close or session_regenerate_id(true) worked for me.
Does anybody know a solution?
Edit: I have session_start() at the top of my file. When i var_dump the session global before the header redirect, i see the userID in there, but not in the other file, which is in a subdirectory of this script
I know this is an old toppic but I found the solution (for me).
I've put a exit after the header.
$_SESSION['session'] = 'this is a session';
header('location: apage.php');
exit;
This works for me
#Matt (not able to comment yet...): If:
a) It appears in the session before redirect
b) other keys work
80% of the time the problem is register_globals, and use of a equally named variable $userID somewhere (the other 19% is just overwriting in places one doesn't expect, 1% is unable to write/lock session before redirect and stale data, in which case you could try session_write_close() before the redirect). It goes without saying register_globals should be off :P
I haven't heard of this issue, but I haven't used sessions all that much.
With sessions you MUST do a few things and have a few setting setup:
cookies enabled on client side
session_start(), before anything happens
make sure you don't destroy the session(unless they want to logout)
The PHP session id must be the same (relates to cookies)
Another issue could be the $user->id is returning a reference to an object that doesn't exist on the next page. Most likely not, but make sure.
If I saw your code I could help you a lot more. But when debugging check the session key with session_id() and make sure it's the same. If you could try that then tell me I could keep helping.
I too would like to know how this ends up for when I get back into sessions.
You should start the session before using the session array.
PHP Code,
session_start();
$_SESSION['userID'] = $user->id;
header('Location: /subdirectory/index.php');
Have you got an session_start(); on the top?
Not tested but cant you do something like this:
session_start();
$_SESSION['userID'] = $user->id;
if( $_SESSION['userID'] == $user->id )
{
header('Location: /index.php');
}
I never have this Problem before, interesting
userID does not have any keyword status.
Only reason to me, is $_SESSION['userID'] is being overwritten or deleted somewhere.
Make sure you use session->start() in all the files you want to add/access the session.
One important thing ( which may not be applicable in your case ) is, if the session is being handled using cookie, cookie can be made to be accessible only under certain directory and subdirectories under that.
In your case anyhow, subdirectory will have access to the session.
Make sure both pages are the same php version
(php5, php4 sometimes have different session paths)
I had the same problem recently. I'm writting a customized MVC Website for school and, as everyone told, start_session() must be written in the very first lines of code.
My problem was THE LOCATION of "session_start()". It must be the first lines of your global controller, not the first lines of the view. $_SESSION was not accessible in controller's files because it was only initiated when the server render the view.
Then, I'm using session_write_close() after the header('location: xxx.php') call to keep session variables for the next request.
ex:
globalController.php :
//First line
session_start();
require_once('Model/Database.php');
require_once('Model/Shop/Client.php');
...
logonController.php:
...
//Users is validated and redirected.
$_SESSION['client'] = $client;
header('location: index.php');
session_write_close();
Hope it solved your problems.
This was annoying as hell but I finally figured out a solution.
config.php i had:
include 'session.php';
At the top of session.php, I had:
session_start();
By moving session_start() to the top of the config.php file, viola...
Problem solved!
Another option than killing your script forcefully with exit is to use session_write_close to force the changes to be written to the session store.
This should however not happen if your script is terminating correctly.
As the documentation about session_write_close states:
End the current session and store session data.
Session data is usually stored after your script terminated without
the need to call session_write_close(), but as session data is locked
to prevent concurrent writes only one script may operate on a session
at any time. When using framesets together with sessions you will
experience the frames loading one by one due to this locking. You can
reduce the time needed to load all the frames by ending the session as
soon as all changes to session variables are done.
In my case this only happened during debugging with Xdebug, when I triggered the same script multiple times and thus multiple process tried to manipulate the same session. Somehow the session could then no longer be unlocked.